What is the Heartbleed bug?
It is a vulnerability that affects certain versions of the popular OpenSSL library. The end result is that cyber criminals can potentially steal sensitive information, such as your password, credit card number, and social security number, from websites that use OpenSSL. Many popular websites, such as Yahoo and Google, use OpenSSL.
Codenomicon, the organization that announced this bug, said that they were able to exploit this bug to steal information from their own servers without leaving a trace.
How does Heartbleed impact me?
Even though there has been no documented evidence of any actual data breach, it is possible that hackers may have exploited this bug to obtain sensitive data, including account passwords and credit card information, from sites that use an affected version of OpenSSL.
What should I do?
Below is what you should do if you have an account on one of these popular sites:
Apple: No action necessary.
Additionally, several sites have more details:
There is a longer list where the top 10,000 Alexa sites were scanned for the Heartbleed vulnerability on April 8, 2014: https://github.com/musalbas/heartbleed-masstest/blob/master/top10000.txt. If the list shows a site to be vulnerable, you'll want to make sure the site has been fixed (using one of the tools listed below) before changing your password.
Which sites should you check first? We recommend going in the following order:
1. Financial institutions
My favorite site is not on any list!
There are three things you can do:
1) Check the home page, the announcements section, or the blog of the website to see if they have made any references regarding Heartbleed.
2) Contact the website and ask them if their accounts are affected.
3) Use one of the following tools to see if your site may be vulnerable.
If you find a site to be vulnerable due to Heartbleed, do not change your password at this time: changing the password before the bug is fixed is useless, as the new password may still be stolen. Rather, continue to check using the tool, and only change your password when the bug has been fixed.
If you find a site to be safe, it is best to change the password right away, unless there is some evidence that the site has not been affected.